@Stick-U235
Stick-U235 / Simplistic Binary Patching With Radare2.md
Last active October 29, 2022 15:13
Simplistic Binary Patching With Radare2

Let’s just take a simple “Hello, World!” program written in C, and change it to say “Hello, Terry!” (Or insert your own name, unless you really like me).

The point of this exercise is to show how easy it can be to edit a compiled program, which can have a huge effect. You have the ability to modify anything from simple program output to conditional statements, password verification checks, and much more. The ability to modify a program's code allows you to gain full control over the program. Some areas will be simple to modify, while others can take an immense amount of time just to figure out where to look. Let's get started.

We will begin by writing the code below for the Hello program and compiling it using GCC (or your favorite C compiler).

Image1

Next, we will open the program in Radare2 in write mode via the command "r2 -w HelloWorld". If you wish to play around within it rather than modifying the source code directly, we can skip opening it in

@Stick-U235
Stick-U235 / Exploiting the Integer Overflow Present Within HTTP.sys (MS15-034).md
Last active June 18, 2020 01:10
Exploiting the Integer Overflow Present Within HTTP.sys (MS15-034)

HTTP.sys is Microsoft’s device driver used to handle HTTP requests to a hosted web application, commonly IIS-based. HTTP.sys implemented feature enhancements that were introduced with IIS 6. Among these feature enhancements is Kernel Caching, which allows for a more seamless experience for the user. HTTP.sys in IIS 6+ caches responses within the kernel, which allows the kernel to return cached data to the user faster than the previous implementation, which relied on the kernel passing the request to the worker process for the response. With fewer process hops, returning the response directly from the kernel cache increases speed. It should be noted that other services outside of IIS use HTTP.sys as well, such as netsh and servicestate.

To better understand the vulnerability we must first gain an understanding of how HTTP.sys works, and why it is vulnerable in the first place. HTTP.sys handles all requests to a web application. If the response is already cached, HTTP.sys will r

#
# Spawns a netcat shell on port 31415 as root, then connects to it
# Vulnerability is within Exim 4.87-4.91
#
import subprocess
import socket
import os
import time
from subprocess import Popen, PIPE
@Stick-U235
Stick-U235 / CVE-2017-6564 and CVE-2017-6565
Last active April 19, 2020 15:05
CVE-2017-6564 and CVE-2017-6565
>> [Suggested description]
>> On Franklin Fueling Systems TS-550 evo 2.3.0.7332 devices,
>> the Guest user, which contains the lowest privileges, can post to the
>> idSourceFileName parameter found within the /download directory. This
>> ability allows for an attacker to download sensitive system files from
>> the host machine such as databases which contain information that can
>> aid in further attacks.
> CVE-2017-6564.
>> [Suggested description]